# Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site Scripting
# Google Dork: N/A
# Date: 09.02.2014
# Exploit Author: Fikri Fadzil - [email protected]
# Vendor Homepage: http://forum.mybboard.de/user-9022.html
# Software Link: http://mods.mybb.com/view/extended-useradmininfo
# Version: 1.2.1
# Tested on: PHP
Description:
This plugin shows advanced information about a user, such as last IP, User
Agent, Browser and Operating System. The information is shown in the
user profile and is visible only to people who are able to see the
adminoptions on user profiles.
Proof of Concept:
1. Create a user account.
2. Change your user-agent to "Mozilla<script>alert(1)</script>".
3. Log in and then log out.
* The script will be executed whenever the administrator views your profile.
Solution:
Replace the content of "inc/plugins/extendeduseradmininfos.php" with this
fix:
http://pastebin.com/ncQCvwdq
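
The example below is added for illustration. It is not the plugin's code and not the fix linked above. It shows the unescaped output pattern next to an HTML-encoded one, plus a check for values that are already stored. All function names, the markup and the sample rows are assumptions.

```php
<?php
// Added illustration: not the plugin's code and not the fix linked above.
// Function names, markup and sample rows are hypothetical/constructed.

// Unsafe pattern: stored User-Agent is concatenated into HTML unchanged.
function render_useragent_unsafe(string $storedUa): string
{
    return '<td>' . $storedUa . '</td>';
}

// Hardened pattern: cap the length, then HTML-encode at output time.
function render_useragent_safe(string $storedUa): string
{
    $ua = substr($storedUa, 0, 255);
    // ENT_QUOTES covers attribute contexts; ENT_SUBSTITUTE replaces
    // invalid UTF-8 (e.g. a sequence cut by substr) instead of returning ''.
    return '<td>' . htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Audit helper: return uids whose already-stored value contains HTML
// metacharacters, so rows saved before the fix can be reviewed.
function find_suspicious_useragents(array $rows): array
{
    $hits = [];
    foreach ($rows as $uid => $ua) {
        if (preg_match('/[<>"\']/', $ua) === 1) {
            $hits[] = $uid;
        }
    }
    return $hits;
}

// Constructed rows (uid => stored User-Agent); uid 7 holds the PoC string.
$rows = [
    3 => 'Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0',
    7 => 'Mozilla<script>alert(1)</script>',
];

foreach ($rows as $uid => $ua) {
    echo "uid $uid unsafe: ", render_useragent_unsafe($ua), PHP_EOL;
    echo "uid $uid safe:   ", render_useragent_safe($ua), PHP_EOL;
}
echo 'review uids: ', implode(', ', find_suspicious_useragents($rows)), PHP_EOL;
```

Encoding at output time also neutralises values that were stored before the fix was installed. The audit helper only points out which rows deserve a look.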